5. Structure
• Normal, English sentences that are used to describe the
entire scenario
• Each sentence contains placeholders for the various parts
of the risk
malicious competitor attacks the server-side and takes
advantage of limited server-side bandwidth and uses ddos
to cause extreme lag that lets them win a match, resulting
in frustrated users not playing the game anymore, which
could have been avoided using ddos protection.
5
7. Semantic Structure
Actor attacks Attack Surface and uses
Exploit to take advantage of
Vulnerability to try to achieve their
Goal, resulting in Negative Outcome,
which could have been avoided by Defense.
7
9. Ping + Teleport
9
1. Mess with your own connection
2. Server starts reporting your location sporadically
3. Allows you to pass through objects
4. BONUS: Avoid being attacked because you’re like a ghost
Player attacks the network and takes advantage of throttling and uses
connection degradation to cause extreme lag that lets them avoid harm,
resulting in frustrated users not playing the game anymore, which could
have been avoided using better code.
10. Moar Mosters
10
1. When logged in as an admin there are options to do lots of
things, like call monsters
2. Players figure out they can execute admin commands as well
(only the menu was missing)
3. They get in nasty PvP and call in tons of nasty mobs to crush
enemies
Player attacks the server and takes advantage of client-side filters and
uses hidden admin commands to cause in game chaos that lets them survive
pvp, resulting in frustrated users not playing the game anymore, which
could have been avoided using server-side controls.
11. Midnight Store
11
1. Game bugs required the server to be restarted at
midnight
2. If you were in the middle of a trade when the server
went down, both players got both sides of the trade
Player attacks the game and takes advantage of logic bug and uses
knowledge of bug to cause item duplication that lets them unfairly
increase loot, resulting in less need to buy things, which could have been
avoided using better code.
12. Marvel at my DC
12
1. Play a Star Wars game on Android
2. Go into Airplane Mode in the middle of the game
3. Run Android hack to automatically win
4. Reconnect, advance on the ladder
Player attacks the client and takes advantage of local hack and logic flaw
and uses local hack to cause unfair ladder win that lets them, resulting in
ladder chaos, which could have been avoided using better code.
13. Ooh Sparkly
13
1. Launching lots of graphics-intensive actions could cause frame
rate drops
2. People load up on the most graphics-intensive combos and fire
them off if they’re attacked
3. Nobody could kill them because they could run away while their
game is lagging
Player attacks the client and takes advantage of resource constraints and
uses knowledge of bug to cause unfair pvp advantage that lets them avoid
death during pvp, resulting in angry players and fewer users, which could
have been avoided using better code.
14. Pink Unicorns
14
1. Players find hidden coordinates in network stream data
2. They hack the client to show hidden items on the map
3. They find hidden players and items before everyone else
4. PK or dramatically improved farming
Player attacks the client and takes advantage of client-side filters and
uses client modification to cause see hidden content that lets them pk and
farm, resulting in frustrated users not playing the game anymore, which
could have been avoided using client integrity validation.
15. Dishonorable Mentions
15
1. Convincing players to download a mod so we can “powerlevel you”.
2. Changing your username to look like a GM, and telling people to give you their items
(for safe keeping).
3. Multiple buff stacking due to race conditions / logic flaws.
4. Death / looting issues that allow you to loot dead bodies and get their gear without the
person losing the gear when they respawn.
5. Numerous DC logic flaws, where fighting, looting, purchasing is all broken when you
DC your connection. As a developer, how would you handle it?
6. Powerleveling service takes your account for a day or so and you soon get a notification
that you’ve been banned (they used you for money laundering).
7. …etc, etc.
17. Mobile Cover Clipping
17
1. Use of a skill (Mobile Cover) allows players to skip
content
2. Skipping content allows after farming rates of bosses
Player attacks the client and takes advantage of Game Mechanics and uses
knowledge of bug to skip content that lets them farm items faster,
resulting in angry players and fewer users, which could have been avoided
using better code.
19. instancing and
checkpoints
19
1. Players able to enter a different area (instance) to re-
spawn bosses
Player attacks the client and takes advantage of Game Mechanics and uses
knowledge of bug to skip content that lets them farm items faster,
resulting in angry players and fewer users, which could have been avoided
using better code.
21. buff/talent stacking
21
1. switching gear rapidly caused buffs or talents to “stack”
allowing using talents to gain 1 shot kills, infinite money
of headshots, etc.
Player attacks the client and takes advantage of Game Mechanics and uses
knowledge of bug to Gain In-game Currency and Enhance Gear, resulting
in angry players and fewer users, which could have been avoided using
better code.
26. Future State
26
• Moar Bugz (crowdsourced)
• Continuous improvement of schema
• Additional ideas for improvement
27. Next Steps & Help
27
• If you know any game bugs, you can help out at this location:
https://docs.google.com/spreadsheets/d/
1Og08wyHsqtODBDkU_M2zHAvdxc63GSu-OmT8NjCc9Ak/
edit#gid=0
• We also just started a Slack channel, in case you don’t already
have enough of those.
28. Thanks & Contact
28
• Jason Haddix
Bugcrowd
@jhaddix
• Daniel Miessler
IOActive
@danielmiessler
https://www.owasp.org/index.php/
OWASP_Game_Security_Framework_Project